Security update for ISC's DHCP server
ISC has released a security update for its DHCP server that fixes two denial-of-service vulnerabilities. According to the report, the server can be made to halt when it processes certain packets. With a DHCP server effectively down, clients on the network would no longer receive IP addresses and would therefore be unable to connect usefully to the network. The fix patches the system to correctly discard or process the packets that cause the problem.
The problem affects all end-of-life (EOL) versions of DHCP, versions 3.1.0 through 3.1-ESV-R1, all versions of 4.0 (now EOL), 4.1.0 to 4.1.2.rc1, 4.1-ESV to 4.1-ESV-R3b1 and 4.2.0 to 4.2.2rc1. The company recommends that users upgrade to a supported version from the company's download page (3.1-ESV-R3, 4.1-ESV-R3 or the current production release, 4.2.2).
ISC rates the severity of the problem as high but says that no public exploits of the problem are known. One of the problems was reported by a user at the University of Illinois and the other was discovered during testing. ISC's DHCP server is available under the ISC Licence.
(djwm)